(54) A method of securing software configuration parameters with digital signatures

(57) A system and method for enforcing configuration parameters and detecting tampering of configuration files used by a software application. An enforced configuration packet (ECP) file generator (110) generates an enforced configuration packet (ECP) file (106) from a configuration parameter description file (108) containing a set of configuration parameters (<ID, VALUE>). The ECP file (106) includes a set of enforced configuration packets (<ID, VALUE, FINGERPRINT>), which each include one of the configuration parameters from the ECP description file (108) and a corresponding configuration parameter fingerprint (<FINGERPRINT>) unique to that particular configuration parameter. At startup of the software application (102), an ECP file reader (104) validates the ECP file (106) and each of the enforced configuration packets contained in the ECP file. Validation is achieved by regenerating the configuration parameter fingerprint of each configuration parameter and comparing the regenerated fingerprint to the fingerprint contained in the enforced configuration packet. If any of the fingerprints in the enforced configuration packets do not match their regenerated fingerprint, the ECP file reader (104) indicates that the configuration parameter fingerprint is not valid. If all of the configuration parameter fingerprints match up to their regenerated fingerprints, and the ECP file (106) itself is determined to be valid, the configuration parameters encoded in the ECP file (106) are used by the software application (102) to set up its configuration.
Description

Field of the Invention

[0001] The present invention relates generally to the field of software security, and more particularly to a system and method for securing software configuration parameters with digital signatures.

Background of the Invention

[0002] Present day computer software is typically generated by a software manufacturer and shipped as a set of files. These files may include an installation program, one or more executable files, a set of library or data files, and configuration files. Typically, the end user of the software runs the installation program, which copies the executable files and libraries into appropriate directories, and configures the software according to configuration parameters contained in the configuration files. Often, the software configuration may be customized by either an intermediate customer (i.e., an Original Equipment Manufacturer (OEM) or Value Added Reseller (VAR) selling to end users) or by the software manufacturer working with the intermediate customer to meet the customers' particular needs. Software configuration customization is typically achieved today by providing a set of user customizable configuration files which may be modified by the intermediate customer, or by the manufacturer according to the customer's specifications, to configure the software to provide specific software options for the end user. An example of a configuration file may be a menu registration file that contains configuration parameters that describe the types, layout and functionality of menu bars displayed in conjunction with, and utilized by, the software application. The menu registration file is typically in text format, where each different menu bar is specified by including an entry containing a menu identifier and textual description of the contents or functionality of the menu. The contents of the menu registration file are used to generate the menu bar. Accordingly, if a customer requires an additional menu bar, the menu registration file may be modified to include an entry containing the menu identifier and information from which to generate the new menu bar or additional files from which to add new functionality to the menus.

[0003] The above described mechanism for providing customer-specific software configurations is both efficient and convenient in terms of development and maintainability for software manufacturers, intermediate customers, and end users. Specifically, the original executable software may be modified, and the new revision may be shipped and installed by end users without requiring a special version of software to be created for each customer specific configuration. In addition, an intermediate customer may add, remove, and modify configurable features that it wants to ship to its end users simply by modifying the customer specific configuration files, rather than requiring a special version of software to be created for the new customer specific configuration.

[0004] One aspect of providing customizable configuration files that has heretofore been unaddressed is the vulnerability of the customizable configuration files to end-user tampering. Specifically, software manufacturers provide non-secure customizable configuration files to allow an intermediate customer to edit these configuration files, as for example to specify particular menu items and software functionality. However, these same customizable configuration files containing customized configuration parameters may also be shipped to the end user in non-secure form. It may be undesirable to certain customers to allow end users to have access to its customer specific configuration files. Accordingly, a need exists for a mechanism which allows a software manufacturer and a customer to customize the software configuration and then to secure the configuration parameters to disallow tampering by unauthorized users.

Summary of the Invention

[0005] A novel system and method of enforcing software configuration parameters in a software application for end users and for ensuring that configuration parameters and configuration files have not been tampered with is presented herein. In accordance with the system of the invention, an enforced configuration packet (ECP) file generator is provided to generate an enforced configuration packet (ECP) file from a configuration parameter description file, which contains a set of desired configuration parameters. The ECP file generator generates a fingerprint for each of the configuration parameters contained in the ECP description file and packages them each into a respective enforced configuration packet which is output to the ECP file. Each enforced configuration packet includes a configuration parameter and a configuration parameter fingerprint. Further in accordance with the system of the invention, an ECP file reader is provided which validates the enforced configuration packet in the ECP file and reads the configuration parameters if the ECP file and each of the ECP configuration parameters are valid. If any of the ECP configuration parameters or the file itself is invalid, the ECP file reader indicates that the configuration parameter is not valid.

[0006] In a preferred embodiment, a configuration parameter may include a name of a file or a string of filenames whose contents are included when generating the configuration parameter fingerprint. Also in a preferred embodiment, a configuration parameter may be overridable by a corresponding configuration parameter encoded in another ECP file such that as long as at least one of the enforced configuration packets in one of the ECP files includes a valid fingerprint of the configuration parameter, the ECP file reader interprets it as valid.

[0007] A key parameter may be used to generate a key fingerprint to allow only authorized users to run the application. Typically, the key parameter will be an intermediate customer key, which may be included for example in a software registration code shipped with the software. Without a valid key parameter, the ECP file reader does not return the configuration parameters, and accordingly, the software application will not allow the user to run the application.

[0008] An additional security feature is the inclusion of an end-of-file (EOF) fingerprint appended to the end of the ECP file. The EOF fingerprint is generated on the entire contents of the ECP file to ensure that none of the contents of the ECP file itself have been tampered with.

[0009] In accordance with the invention, the method includes steps for generating a configuration parameter description file comprising a configuration parameter, generating an enforced configuration packet (ECP) file comprising the configuration parameter and a configuration parameter fingerprint, and providing the software application with means for validating the enforced configuration packet in the ECP file. Preferably, the software application includes steps for utilizing the configuration parameter if the enforced configuration packet is valid, and disallowing use of the configuration parameter if the enforced configuration packet is not valid. To ensure that the contents of files named in the configuration parameter, the configuration parameter fingerprint may also be generated on contents of the file or files named in the configuration parameter.

[0010] To ensure that an authorized user is running the application, the method of the invention may also include a step for generating a key fingerprint on a key parameter and appending the key fingerprint to the contents of the ECP file, wherein the key parameter must be known to validate the ECP file. The method may also include a step for requiring the means for validating the enforced configuration packet in the ECP file to perform the steps of generating a regenerated key fingerprint on the key parameter; comparing the regenerated key fingerprint to the key fingerprint in the ECP file; and returning an error code if the regenerated key fingerprint and the key fingerprint do not match.

[0011] To ensure that the ECP file itself has not been tampered with, the method of the invention may also include steps for generating an end-of-file (EOF) fingerprint on entire contents of the ECP file after the enforced configuration packets are generated and appending the EOF fingerprint to the contents of the ECP file; and requiring the means for validating the enforced configuration packet in the ECP file to perform the steps of generating a regenerated end-of-file (EOF) fingerprint on the contents of the ECP file; comparing the regenerated EOF fingerprint to the EOF fingerprint in the ECP file; and returning an error code if the regenerated EOF fingerprint and the EOF fingerprint do not match.
[0012] The objects and advantages of the invention will become more apparent and more readily appreciated from the following detailed description of the presently preferred exemplary embodiment of the invention taken in conjunction with the accompanying drawing, of which:

FIG. 1 is a block diagram of a system in which the invention may operate;

FIG. 2 is an example format of an ECP description file;

FIG. 3 is an example data structure format for registration of configuration parameter IDs;

FIG. 4 is an example format of an ECP file;

FIG. 5 is a flowchart of the functionality of a preferred implementation of an ECP file generator; and

FIG. 6 is a flowchart of the functionality of a preferred implementation of an ECP file reader.

Detailed Description of the Present Invention

[0013] A mechanism for securing software configuration parameters is described herein which provides the ability for a software manufacturer and a customer to customize the software configuration and then to secure the configuration parameters to disallow tampering by unauthorized users. Specifically, after the customer determines its desired customer specific configuration, the configuration parameters and files are secured in an enforced configuration package. At software installation or startup time, the enforced configuration packages are validated to determine whether tampering has occurred. If tampering of the enforced configuration packages is detected, the software application is alerted and handles the tamper message accordingly.

[0014] FIG. 1 illustrates a block diagram of a system in which the invention may operate. In FIG. 1, software application 102 may be configured using any or all of configuration files 112, 114, 116 as determined by the contents of ECP file 106. Software application 102 is typically shipped with all of configuration files 112-116. If no ECP file exists and the software is licensed for a full configuration, application 102 configures itself using all of configuration files 112, 114, 116, ignoring any existing ECP files. If the software is licensed for a limited configuration, however, software application 102 searches for an ECP file. If an ECP file does not exist under a limited configuration license, software application 102 preferably will not allow the user to run it. If an ECP file does exist under a limited configuration license, however, the read ECP file routine 104 reads and validates the ECP file and extracts the customer specific configuration (i.e., the particular configuration files 112 - 116 to utilize when configuring the software). ECP file 106 includes configuration parameter entries which each preferably include a parameter identifier, a parameter value, and a parameter fingerprint. ECP file 106 is generated from an ECP description file 108 using an ECP file generator 110. The ECP description file 108 is typically developed by an intermediate customer, or by the software manufacturer working in conjunction with the intermediate customer. The ECP file 106 is then generated at the factory using ECP file generator 110. Preferably, only the ECP file 106 (and not the ECP description file 108) is shipped to end users to prevent end users from tampering with the customer specific configuration parameters.

[0015] As also shown in FIG. 1, application 102 includes an ECP file reader routine 104. In a preferred embodiment, and as embodied in FIG. 1, application 102 is implemented in an object-oriented language such as C++, and the ECP file reader routine 104 is implemented in an ECP object comprising a READ_ECP API method. Application 102 executes a method call on READ_ECP of the ECP object. READ_ECP accesses ECP file 106, validates each entry utilizing its associated fingerprint and any files associated with each entry that are required to also be validated, and either returns the configuration encoded in the ECP file 106 if no tampering is detected, or an error code if tampering is detected. If no tampering is detected, the value returned by the READ_ECP method indicates which configuration files 112-116 the software application 102 is to use for its configuration. For example, if the ECP file includes entries for configuration files 112 and 114, application 102 configures itself using configuration files 112 and 114, but not configuration file 116.

[0016] FIG. 2 is an example format of an ECP description file. As shown in FIG. 2, each configuration parameter entry is set forth on a separate line in the format <ID, value> which includes a configuration parameter identifier (ID) and a configuration parameter value. The configuration parameter ID is a pre-defined identifier whose name and type are known by the ECP file generator 110. The configuration parameter value is the actual value of the configuration parameter. The type of the value must correspond to the type of the ID as defined within the ECP file generator 110.

[0017] Preferably, each configuration parameter ID is a parameter name which is registered within the ECP file generator 110 and which has a parameter type and a set of parameter flags associated with it. The parameter name, type, and flags are preferably defined in a static data structure within the ECP file generator 110. FIG. 3 illustrates an example data structure format for registration of configuration parameter IDs. In the preferred embodiment, a parameter type may be a "string" for elements such as a file name, a "string list" for elements such as a list of event categories or list of files, or an "integer" for elements such as counters or other scalar values.

[0018] In addition, the parameter flags indicate the type of validation that should be performed on the parameter by the ECP file reader routine 104 when the ECP file is validated and read. In the embodiment shown in FIG. 2, the parameter flags may include a "CheckContents" flag which tells the ECP file generator 110 that the configuration parameter, of type string or string list, contains a file or files whose contents must be digitally signed, thus making them tamper proof. The parameter flags may also include a "RelativePath" flag which indicates to the ECP file generator 110 that the configuration parameter is a file whose path is relative from a defined location, which is preferably registered within the ECP file generator 110 in the parameter name data structure. The parameter flags may also include an "Overridable" flag which indicates to the ECP file generator 110 that multiple packages may define the parameter and that at least one of them should have a valid entry. This flag may be used for items such as where the application expects to find either a default item that is always shipped with the software or a customized item that the customer ships to the end user. It will be appreciated by those skilled in the art that the format of the ECP description file may vary from implementation to implementation. Accordingly, the embodiment of FIG. 2 is shown by way of example only, and not limitation.

[0019] In the example ECP description file shown in FIG. 2 and corresponding registration data structures shown in FIG. 3, REG_FILE is a configuration parameter ID of type string list having the CheckContents flag set, which indicates that the fingerprint generated for the configuration parameter should include the contents of the file named in the configuration parameter value, and the RelativePath flag set to indicate that the named file value may be found at the relative path value X:\APPLICATION\CONFIG\. In this embodiment, each element in the string list is declared on a separate line but is made available via the READ_ECP API method implemented in the ECP file reader routine 104 as a list of all defined values having ID REG_FILE. As also seen in the example of FIGS. 2 and 3, FILTER_FILE is a configuration parameter ID of type string, and has flags CheckContents, RelativePath, and Overridable set, which indicate that the contents of the named file, FILTER_1, should be included in the fingerprint, that the directory where filter_1 may be found is in X:\APPLICATION\CONFIG\, and that the file FILTER_1 may be overridden by a customer specific filter file. As also seen in the example of FIGS. 2 and 3, MAP_NAME is a configuration parameter ID of type string, and USER_COUNT is a configuration parameter of type integer.

[0020] FIG. 4 is an example format of an ECP file generated by ECP file generator 110 from the example ECP file shown in FIG. 2. As shown in FIG. 4, the ECP file looks identical to the ECP description file, except that each configuration parameter entry includes not only a configuration parameter identifier (ID) and a configuration parameter value, but also a digital fingerprint value. In other words, each entry in the ECP file is set forth on a separate line in the format <ID, value, fingerprint>. The value of each fingerprint is preferably a digital signature of the configuration parameter ID, value, and contents of the file named in the configuration parameter value if the CheckContents flag is set. Preferably, the digital signature is generated using a combination of a digital signature generation algorithm (e.g., the well-known MD5 algorithm) and an encryption algorithm (e.g., the well-known Tiny Encryption Algorithm (TEA)) to allow the fingerprint to be easily generated, yet difficult to reverse engineer without the proper key. In a preferred embodiment, the proper key for regenerating the fingerprint is encoded into the license registration number of the software application. The purpose of the configuration parameter fingerprint is to ensure that the parameter and its value (and the value's contents, if applicable) have not been tampered with. In addition to each configuration parameter entry having an associated fingerprint, the ECP file embodied in FIG. 4 also includes a beginning of file (BOF) fingerprint and an end of file (EOF) fingerprint. The BOF fingerprint is preferably a digital signature on a customer key assigned to the particular intermediate customer. Typically the customer key is derived from a license registration number shipped with the software. The purpose of the BOF fingerprint is to ensure that the ECP file is used only on the customer's platform and also ensures the integrity of the ECP file and customer key. The EOF fingerprint is a final digital signature on the entire contents of the ECP file. The purpose of the EOF fingerprint is to ensure that the ECP file itself has not been tampered with.

[0021] FIG. 5 is a flowchart of the functionality of a preferred implementation of ECP file generator 110. As shown in FIG. 5, ECP file generator 110 begins with step 502 by initializing its internal data structures, as shown in FIG. 3. Accordingly, a data structure is allocated for each predefined configuration parameter identifier, and the type, flags, and relative path associated with that particular configuration parameter ID are set according to its definition (i.e., ID name, type, flags, and path) as known by the ECP file generator 110. Thus, as illustrated in FIG. 3, a data structure is allocated for each ID (i.e., REG_FILE, FILTER_FILE, MAP_NAME, and USER_COUNT), and the values of its associated type, flags and path are filled in. The configuration parameter ID definitions may be defined statically within the software, or may be configurable as for example by storing all configuration parameter ID definitions in a table or separate file which may be modified to support different configuration parameter IDs.

[0022] In a step 504, the ECP file generator 110 reads the customer key, which may be input as a parameter to the ECP file generator 110 or may be at a location known by the ECP file generator 110. After reading the customer key, the ECP file generator 110 generates a digital signature on the customer key and outputs it as the BOF fingerprint to the ECP file 106.

[0023] The ECP file generator 110 then reads the ECP description file 108 in step 506 to identify ID, value pairs. In a preferred embodiment, the ECP file generator 110 creates a table containing each ID in one column, and all values associated with that ID in a second column.

[0024] In a step 508, the ECP file generator 110 then generates a fingerprint for each of the ID value pairs. The fingerprint for an ID value pair may include the actual name of the configuration parameter ID (e.g., REG_FILE) and the value of the configuration parameter (e.g., CONFIG_1). If the CheckContents flag for the configuration parameter is set, the fingerprint will also include the digital signature of the file that was described by that parameter. As an illustration, the value of each configuration parameter of ID REG_FILE is actually the name of a file. Because CheckContents is set for all configuration parameters having a REG_FILE ID, the contents of each file named as a value of REG_FILE is included in the signature for the ID, value pair.

[0025] In a step 510, the ECP file generator 110 outputs the <ID, value, fingerprint> entries to ECP file 106.

[0026] In a step 512, ECP file generator 110 generates an end-of-file (EOF) fingerprint on the entire contents of the ECP file 106 and appends the EOF fingerprint to the end of the ECP file 106.

[0027] FIG. 6 is a flowchart of the functionality of a preferred implementation of the read ECP file routine 104. As shown in FIG. 6, ECP file routine 104 begins with step 602 by looking for ECP files. In the preferred embodiment, the location of the ECP files is known by the read ECP file routine 104. Preferably the software is shipped with a customer specific default ECP file. To allow intermediate customers to provide different configurations to different end user customers, the intermediate customer may be provided with an ECP file generator to allow it to generate one or more additional ECP files which contain configuration parameters that override the default configuration parameters. This allows the intermediate customer to ship the software manufactured by the software manufacturer containing its customer specific default ECP file along with one or more additional configuration files it may have developed to operate with the software and an accompanying ECP file to prevent end users from modifying the configuration files and parameters. In this embodiment, the ECP file reader routine 104 looks in a particular directory for the default ECP file and any additional customer generated ECP files.

[0028] In a step 604, ECP file reader routine 104 generates a fingerprint on the entire contents of the ECP file 106 and compares it in step 606 to the EOF fingerprint at the end of the ECP file 106. If the fingerprint does not match the EOF fingerprint, the ECP file reader routine 104 returns an appropriate error code in step 618 and exits.

[0029] If the EOF fingerprint is valid, the ECP file generator 110 then reads the customer key in step 608, which may be input as a parameter to the ECP file generator 110 or may be at a location known by the ECP file generator 110. After reading the customer key, the ECP file generator 110 generates a fingerprint on the customer key and compares it to the BOF fingerprint in the ECP file 106 in step 610. If the fingerprint does not match the BOF fingerprint, the ECP file reader routine 104 returns an appropriate error code in step 618 and exits.

[0030] If the BOF fingerprint is valid, the ECP file reader routine 104 then reads the ECP description file 106 in step 612 to identify and match up ID, value pairs. In a preferred embodiment, the ECP file reader routine 104 creates a table containing each ID in one column, and all values associated with that ID in a second column.

[0031] In a step 614, the ECP file reader routine 104 then generates a fingerprint for each <ID, value> pair and compares in step 616 the generated fingerprint with the corresponding fingerprint contained in the ECP file. The fingerprint for an ID value pair may include the actual name of the configuration parameter ID (e.g., REG_FILE) and the value of the configuration parameter (e.g., CONFIG_1). If the CheckContents flag for the configuration parameter is set, the fingerprint will also include the digital signature of the file that was named as the value of that parameter. If the Overridable flag is set for an ID, the ECP file reader routine 104 interprets this to mean that more than one possible file exists as the value of this particular configuration parameter. For example, a default filter file may be shipped with the software application which the customer may override with a customer-specific filter file. In this case, it may still be desired to secure the configuration parameter (i.e., the default filter file itself). Accordingly, the CheckContents flag is set to indicate to the ECP file reader routine 104 to include the contents of the default configuration file when generating the fingerprint for the configuration parameter. In addition, the Overridable flag indicates to the ECP file reader routine 104 that a customer specific filter file may exist, and as long as one of the potential configuration files has a valid fingerprint no error should be signaled.

[0032] Once a fingerprint is generated for an <ID, value> pair, the fingerprint is compared to the fingerprint of the <ID, value> pair from the ECP file 106 in a step 616. If the fingerprints do not match, an appropriate error is returned in step 618.

[0033] If the fingerprints do match, a step 620 checks for additional <ID, value> pairs to validate, and steps 612 - 620 are repeated until each of the <ID, value> pairs have been validated.
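
The generate-then-validate round trip of paragraphs [0021] to [0033], as an added Python example that is not part of the patent text: it substitutes HMAC-SHA-256 for the MD5 and TEA combination the description names, takes file contents from a dict instead of reading them from disk, and models only the CheckContents flag. The function names, the "BOF," and "EOF," line layout, the registry dict and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed registration table in the spirit of FIG. 3:
# parameter ID -> True when the CheckContents flag is set.
REGISTRY = {"REG_FILE": True, "FILTER_FILE": True,
            "MAP_NAME": False, "USER_COUNT": False}


class ECPError(Exception):
    """Validation failure; stands in for the reader's error code."""


def _mac(key, label, *parts):
    # HMAC-SHA-256 over a domain label and length-prefixed parts, so that
    # ("AB", "C") and ("A", "BC") cannot produce the same fingerprint.
    h = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(8, "big") + part)
    return h.hexdigest()


def _same(a, b):
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(a.encode(), b.encode())


def _entry_fp(key, pid, value, files):
    parts = [pid.encode(), value.encode()]
    if REGISTRY[pid]:  # CheckContents: bind the named file's bytes as well
        parts.append(files[value])
    return _mac(key, b"entry", *parts)


def generate_ecp(key, description, files):
    """Build ECP text from (ID, value) pairs, following steps 504 to 512."""
    # BOF fingerprint: only a holder of the customer key can reproduce it.
    lines = ["BOF," + _mac(key, b"bof")]
    for pid, value in description:
        if "\n" in value:
            raise ValueError("value must fit on one line")
        lines.append(f"{pid},{value},{_entry_fp(key, pid, value, files)}")
    body = "\n".join(lines) + "\n"
    # EOF fingerprint covers everything written before it.
    return body + "EOF," + _mac(key, b"eof", body.encode()) + "\n"


def read_ecp(key, ecp_text, files):
    """Validate ECP text and return {ID: [values]}, following steps 604 to 620."""
    body, marker, trailer = ecp_text.rpartition("EOF,")
    if not marker or not _same(trailer.strip(), _mac(key, b"eof", body.encode())):
        raise ECPError("EOF fingerprint mismatch")
    lines = body.split("\n")[:-1]
    if not lines or not _same(lines[0], "BOF," + _mac(key, b"bof")):
        raise ECPError("BOF fingerprint mismatch")
    config = {}
    for line in lines[1:]:
        pid, rest = line.split(",", 1)
        value, fingerprint = rest.rsplit(",", 1)
        if pid not in REGISTRY or (REGISTRY[pid] and value not in files):
            raise ECPError(f"unknown ID or missing file for {pid}")
        if not _same(fingerprint, _entry_fp(key, pid, value, files)):
            raise ECPError(f"fingerprint mismatch for {pid}")
        config.setdefault(pid, []).append(value)
    return config


def demo():
    """Run the round trip on constructed sample data and report each outcome."""
    key = b"constructed-customer-key"
    files = {"CONFIG_1": b"menu File Edit\n", "filter_1": b"pass all\n"}
    description = [("REG_FILE", "CONFIG_1"), ("FILTER_FILE", "filter_1"),
                   ("MAP_NAME", "default"), ("USER_COUNT", "5")]
    ecp = generate_ecp(key, description, files)
    outcomes = {"clean": read_ecp(key, ecp, files)}
    cases = {
        "edited value": (key, ecp.replace("USER_COUNT,5,", "USER_COUNT,500,"), files),
        "edited file": (key, ecp, dict(files, CONFIG_1=b"menu File Edit Admin\n")),
        "wrong key": (b"some-other-key", ecp, files),
    }
    for name, args in cases.items():
        try:
            read_ecp(*args)
            outcomes[name] = "accepted"
        except ECPError as exc:
            outcomes[name] = str(exc)
    return outcomes


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

Because the reader regenerates each fingerprint with the same key the generator used, this is a keyed integrity check rather than a public-key signature: whoever can recover the key from the shipped application or its license registration number can produce fingerprints the reader accepts.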

[0034] In a preferred embodiment of the software application 102 of FIG. 1, which as described earlier is implemented in an object-oriented language such as C++, the ECP object implementing the ECP file reader routine 104 is initialized at startup of the application 102. Accordingly, at initialization, the READ_ECP API method searches for ECP file 106, validates and reads ECP file 106, and returns a list of configuration files (i.e., any combination of configuration files 112 - 116) according to which the application 102 is to be configured. Application 102 then reads each configuration file in the returned list and configures itself according to those configuration files. The listed configuration files describe the look and functionality of the software application to the end user according to the customer's specifications.

[0035] As described in detail above, the present invention provides a method of enforcing a software configuration for end users. In addition, the invention provides a method for ensuring that configuration parameters and configuration files have not been tampered with. It will be appreciated by those skilled in the art that the principles of the present invention may be extended to enforce any type of static mapping of name to values, and to determine whether any type of data storage files have been tampered with. Accordingly, while illustrative and presently preferred embodiments of the invention have been described in detail herein, it is to be understood that the inventive concepts may be otherwise variously embodied and employed and that the appended claims are intended to be construed to include such variations except insofar as limited by the prior art.

Claims 

1. A system for securing software configuration
parameters used by a software application (102),
comprising:

an enforced configuration packet (ECP) file
generator (110) which receives a configuration
parameter description file (108) and generates
an enforced configuration packet (ECP) file
(106), said configuration parameter description
file (106) comprising a configuration parameter
(<ID, VALUE>) and said ECP file (106) comprising
an enforced configuration packet (<ID,
VALUE, FINGERPRINT>) comprising said configuration
parameter and a configuration
parameter fingerprint (<FINGERPRINT>);

an ECP file reader (104) which validates said
enforced configuration packet in said ECP file
(106), and returns a return value comprising
said configuration parameter if said enforced
configuration packet is valid and returns said
return value comprising an error code if said
configuration parameter is not valid.

2. The system of claim 1, wherein:

said software application (102) receives said
return value from said ECP file reader (104)
and utilizes said configuration parameter if said
return value comprises said configuration
parameter, and disallows use of said configuration
parameter if said return value is an error
code.

3. The system of claim 1 or 2, said configuration
parameter comprising a file name.

4. The system of claim 3, said configuration parameter
fingerprint generated on said configuration
parameter and contents of said file name.

5. The system of claim 3, said configuration parameter
fingerprint generated on contents of said file
name.

6. The system of claim 1, 2, 3, 4 or 5, said ECP file
generator (110) generating a key fingerprint (<BOF
FINGERPRINT>) on a key parameter (CUSTOMER
KEY) and including said key fingerprint in
said ECP file (106), said key parameter being
required to be known to validate said enforced
configuration packet.

7. The system of claim 6, said ECP file reader (104)
generating a regenerated key fingerprint on said
key parameter (CUSTOMER KEY), comparing said
regenerated key fingerprint to said key fingerprint
(BOF_FINGERPRINT) in said ECP file (106), and
returning an error code if said regenerated key
fingerprint and said key fingerprint do not match.

8. The system of claim 1, 2, 3, 4, 5, 6 or 7, said ECP
file generator (110) generating an end-of-file (EOF)
fingerprint on entire contents of said ECP file (106)
after said enforced configuration packets are generated
and appending said EOF fingerprint to said
contents of said ECP file (106).

9. The system of claim 8, said ECP file reader (104)
generating a regenerated end-of-file (EOF) fingerprint
on said contents of said ECP file, comparing
said regenerated EOF fingerprint to said EOF
fingerprint in said ECP file, and returning an error
code if said regenerated EOF fingerprint and said
EOF fingerprint do not match.

10. The system of claim 1, 2, 3, 4, 5, 6, 7, 8 or 9,
wherein:

said configuration parameter (<ID, VALUE>) is
overridable, and

said ECP file reader (104) validates a corresponding
enforced configuration packet (<ID,
VALUE, FINGERPRINT>) in at least one other
ECP file, returns a return value comprising said
configuration parameter of said enforced configuration
packet containing a valid configuration
parameter fingerprint, and returns said
return value comprising an error code if none of
said corresponding enforced configuration
packets is valid.

ECP DESCRIPTION FILE

REG_FILE, CONFIG_1
REG_FILE, CONFIG_2
FILTER_FILE, FILTER_1
MAP_NAME, MAP_1
USER_COUNT, 1

FIG. 2



PARAMETER ID REGISTRATION DATA STRUCTURES

REG_FILE:
    TYPE:  STRING LIST;
    FLAGS: CheckContents, RelativePath;
    PATH:  "C:\APPLICATION\CONFIG\"

FILTER_FILE:
    TYPE:  STRING;
    FLAGS: CheckContents, RelativePath, Overridable;
    PATH:  "C:\APPLICATION\CONFIG"

MAP_NAME:
    TYPE:  STRING;
    FLAGS:
    PATH:

USER_COUNT:
    TYPE:  INTEGER;
    FLAGS:
    PATH:

FIG. 3

ECP FILE

<BOF FINGERPRINT>
REG_FILE, CONFIG_1, FINGERPRINT_1;
REG_FILE, CONFIG_2, FINGERPRINT_2;
FILTER_FILE, FILTER_1, FINGERPRINT_3;
MAP_NAME, MAP_1, FINGERPRINT_4;
USER_COUNT, 1, FINGERPRINT_5;
<EOF FINGERPRINT>

FIG. 4
[Flowchart: ECP file generator]

502  INITIALIZE INTERNAL DATA STRUCTURES
504  GENERATE BOF FINGERPRINT; OUTPUT TO ECP FILE
506  READ ECP DESCRIPTION FILE; MATCH UP <ID, VALUE> PAIRS
508  GENERATE SIGNATURE ON EACH <ID, VALUE> PAIR
     OUTPUT <ID, VALUE, FINGERPRINT> ENTRIES TO ECP FILE
     GENERATE EOF FINGERPRINT; OUTPUT TO ECP FILE

FIG. 5
[Flowchart: ECP file reader]

LOOK FOR ECP FILES
GENERATE FINGERPRINT ON CONTENTS OF ECP FILE
READ CUSTOMER KEY; GENERATE FINGERPRINT CUSTOMER KEY
READ ECP DESCRIPTION FILE; MATCH UP <ID, VALUE> PAIRS
GET <ID, VALUE> PAIR; GENERATE FINGERPRINT
RETURN CONFIGURATION PARAMETERS
RETURN ERROR CODE

FIG. 6
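
Added example (not part of the patent text): a Python implementation of the generator of FIG. 5 and the reader of FIG. 6, writing a file laid out as in FIG. 4. It assumes HMAC-SHA-256 keyed with the customer key as the fingerprint function, which the text does not specify; the function names, key and sample pairs are constructed for illustration.

```python
import hashlib
import hmac


def fingerprint(key: bytes, *fields: str) -> str:
    # Assumed fingerprint: HMAC-SHA-256 keyed with the customer key. Fields are
    # length-prefixed so ("A", "B,C") and ("A,B", "C") cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare


def generate_ecp(key: bytes, pairs: list) -> str:
    """Generator: BOF fingerprint, one packet per <ID, VALUE> pair, EOF fingerprint."""
    lines = [f"<{fingerprint(key, 'BOF')}>"]
    for pid, value in pairs:
        lines.append(f"{pid}, {value}, {fingerprint(key, pid, value)};")
    body = "\n".join(lines) + "\n"
    return body + f"<{fingerprint(key, 'EOF', body)}>\n"


def read_ecp(key: bytes, text: str):
    """Reader: returns the (ID, VALUE) list, or None (the error code) on any mismatch."""
    lines = text.splitlines()
    if len(lines) < 2:
        return None
    bof, *packets, eof = lines
    body = "\n".join([bof, *packets]) + "\n"
    if not same(bof, f"<{fingerprint(key, 'BOF')}>"):
        return None  # key fingerprint does not match this reader's customer key
    if not same(eof, f"<{fingerprint(key, 'EOF', body)}>"):
        return None  # file contents were altered, reordered or truncated
    params = []
    for line in packets:
        parts = line.rstrip(";").split(", ")
        if len(parts) != 3 or not same(parts[2], fingerprint(key, *parts[:2])):
            return None  # malformed packet or per-parameter fingerprint mismatch
        params.append((parts[0], parts[1]))
    return params


# Constructed sample input mirroring FIG. 2; the key is a made-up value.
SAMPLE_KEY = b"constructed-customer-key"
SAMPLE_PAIRS = [("REG_FILE", "CONFIG_1"), ("FILTER_FILE", "FILTER_1"), ("USER_COUNT", "1")]
```

Because the same key both generates and verifies fingerprints in this example, anyone who can extract it from the application can forge packets; an asymmetric signature keeps the signing key off the end user's machine.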